TROVE-2017-005: Fix assertion failure in connection_edge_process_rela…


On a hidden service rendezvous circuit, a BEGIN_DIR could be sent
(maliciously) which would trigger a tor_assert() because
connection_edge_process_relay_cell() thought that the circuit was an
or_circuit_t, but it is an origin circuit in reality.

Fixes #22494

Reported-by: Roger Dingledine <>
Signed-off-by: David Goulet <>
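The failure mode the commit message describes, modelled as an added C example that is not Tor's code: circuits carry a type tag, the or_circuit_t downcast is checked against it, and a BEGIN_DIR on an origin (rendezvous) circuit reaches that checked cast unless the handler rejects origin circuits first. The tag values, the command number and the struct fields are constructed for the model.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model, not Tor's code: every circuit carries a type tag and
 * downcasts to the concrete type are checked against that tag. */
#define ORIGIN_CIRCUIT_MAGIC 0x21b4u      /* constructed tag values */
#define OR_CIRCUIT_MAGIC     0x6f9eu
#define RELAY_COMMAND_BEGIN_DIR 13        /* constructed command number */
typedef struct { uint32_t magic; } circuit_t;
typedef struct { circuit_t base; int begin_dir_count; } or_circuit_t;
typedef struct { circuit_t base; int rend_established; } origin_circuit_t;
#define CIRCUIT_IS_ORIGIN(c) ((c)->magic == ORIGIN_CIRCUIT_MAGIC)
enum { DROPPED = 0, HANDLED = 1, WOULD_ASSERT = -1 };

/* Checked downcast. The real tor_assert() aborts the daemon; the model
 * returns NULL so the failure can be observed instead of crashing. */
static or_circuit_t *to_or_circuit(circuit_t *c) {
  if (c->magic != OR_CIRCUIT_MAGIC) return NULL;
  return (or_circuit_t *)c;
}

/* Before the fix: the command check alone decides, so an origin
 * (rendezvous) circuit reaches the or_circuit_t downcast. */
int process_begin_dir_before_fix(circuit_t *circ, int command) {
  if (command != RELAY_COMMAND_BEGIN_DIR) return DROPPED;
  or_circuit_t *or_circ = to_or_circuit(circ);
  if (!or_circ) return WOULD_ASSERT;  /* remotely triggerable assert */
  or_circ->begin_dir_count++;
  return HANDLED;
}

/* After the fix: drop BEGIN_DIR on origin circuits before the cast, since
 * an origin circuit is never an or_circuit_t. */
int process_begin_dir_after_fix(circuit_t *circ, int command) {
  if (command != RELAY_COMMAND_BEGIN_DIR) return DROPPED;
  if (CIRCUIT_IS_ORIGIN(circ)) return DROPPED;
  or_circuit_t *or_circ = to_or_circuit(circ);
  if (!or_circ) return WOULD_ASSERT;
  or_circ->begin_dir_count++;
  return HANDLED;
}

/* Constructed sample circuits of each kind. */
circuit_t *sample_origin_circuit(void) {
  static origin_circuit_t c = { { ORIGIN_CIRCUIT_MAGIC }, 1 };
  return &c.base;
}
circuit_t *sample_or_circuit(void) {
  static or_circuit_t c = { { OR_CIRCUIT_MAGIC }, 0 };
  return &c.base;
}
```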
dgoulet-tor authored and nmathewson committed Jun 5, 2017
1 parent 4ee48cb commit 56a7c5bc15e0447203a491c1ee37de9939ad1dcd
Showing with 9 additions and 1 deletion.
  1. +7 −0 changes/trove-2017-005
  2. +2 −1 src/or/relay.c
@@ -0,0 +1,7 @@
o Major bugfixes (hidden service, relay, security):
- Fix an assertion failure caused by receiving a BEGIN_DIR cell on
a hidden service rendezvous circuit. Fixes bug 22494, tracked as
TROVE-2017-005 and CVE-2017-0376; bugfix on Found
by armadev.
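Review bot: the "bugfix on" clause in this changes entry has no version after it, the line reads "TROVE-2017-005 and CVE-2017-0376; bugfix on Found by armadev.", so the release in which the bug was introduced should be filled in (the usual "bugfix on X.Y.Z" form of the changes files) before this is merged.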

@@ -1297,7 +1297,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
"Begin cell for known stream. Dropping.");
return 0;
if (rh.command == RELAY_COMMAND_BEGIN_DIR) {
if (rh.command == RELAY_COMMAND_BEGIN_DIR &&
/* Assign this circuit and its app-ward OR connection a unique ID,
* so that we can measure download times. The local edge and dir
* connection will be assigned the same ID when they are created
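Review bot: the replacement condition is incomplete as displayed: `if (rh.command == RELAY_COMMAND_BEGIN_DIR &&` ends with a dangling `&&`, and the second added line that closes the condition (the file summary shows +2 −1 for src/or/relay.c) is not visible in this hunk, so the actual guard, which per the commit message must reject origin circuits before the circuit is treated as an or_circuit_t, cannot be reviewed from what is shown. Since only relay.c and the changes file are touched, a regression test that delivers a BEGIN_DIR cell on a rendezvous circuit and checks that it is dropped rather than asserting would also be worth adding.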


